diff --git a/policy-F12.patch b/policy-F12.patch index 3e74fc4..77e3cd2 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -812,7 +812,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-11-18 16:19:22.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-11-24 07:36:02.000000000 -0500 @@ -13,11 +13,34 @@ interface(`rpm_domtrans',` gen_require(` @@ -860,7 +860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_run_loadpolicy(rpm_script_t, $2) seutil_run_semanage(rpm_script_t, $2) seutil_run_setfiles(rpm_script_t, $2) -@@ -146,6 +174,41 @@ +@@ -146,6 +174,42 @@ ######################################## ## @@ -895,6 +895,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms; + dontaudit $1 rpm_tmpfs_t:file write_file_perms; + dontaudit $1 rpm_script_tmp_t:file write_file_perms; ++ dontaudit $1 rpm_var_lib_t:file { read write }; +') + +######################################## @@ -902,7 +903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send and receive messages from ## rpm over dbus. ## -@@ -167,6 +230,68 @@ +@@ -167,6 +231,68 @@ ######################################## ## @@ -971,7 +972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete the RPM log. ## ## -@@ -186,6 +311,24 @@ +@@ -186,6 +312,24 @@ ######################################## ## 
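Review bot: The new `dontaudit $1 rpm_var_lib_t:file { read write };` silences write denials on the RPM database files, and a write attempt against rpm_var_lib_t by a caller of a dontaudit interface is exactly the kind of event an auditor wants to keep visible; the surrounding rules only cover tmp and tmpfs objects. If the noise is read-only, `dontaudit $1 rpm_var_lib_t:file read;` is the narrower rule; if write denials really are expected, a comment naming the caller that triggers them, e.g. `# <caller — TODO confirm> opens the rpm db read-write without modifying it`, would justify the wider rule. The interface this line is added to begins before the hunk, so its name and summary are not visible here.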
@@ -996,7 +997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Inherit and use file descriptors from RPM scripts. ## ## -@@ -219,7 +362,51 @@ +@@ -219,7 +363,51 @@ ') files_search_tmp($1) @@ -1048,7 +1049,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -241,6 +428,25 @@ +@@ -241,6 +429,25 @@ allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -1074,7 +1075,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -265,6 +471,48 @@ +@@ -265,6 +472,48 @@ ######################################## ## @@ -1123,7 +1124,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to create, read, ## write, and delete the RPM package database. ## -@@ -283,3 +531,99 @@ +@@ -283,3 +532,99 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') @@ -1661,7 +1662,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive smoltclient_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.32/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/sudo.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/admin/sudo.if 2009-11-24 14:46:21.000000000 -0500 @@ -66,8 +66,8 @@ allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; allow $1_sudo_t self:unix_dgram_socket sendto; 
@@ -3526,7 +3527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.32/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te 2009-11-20 08:13:03.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te 2009-11-24 16:47:43.000000000 -0500 @@ -59,6 +59,7 @@ manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) @@ -4370,8 +4371,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +application_domain(openoffice_t, openoffice_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.32/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/podsleuth.te 2009-11-04 08:12:01.000000000 -0500 -@@ -71,6 +71,8 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/podsleuth.te 2009-11-24 18:08:03.000000000 -0500 +@@ -66,11 +66,14 @@ + fs_search_dos(podsleuth_t) + fs_getattr_tmpfs(podsleuth_t) + fs_list_tmpfs(podsleuth_t) ++fs_rw_removable_blk_files(podsleuth_t) + + miscfiles_read_localization(podsleuth_t) sysnet_dns_name_resolve(podsleuth_t) 
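Review bot: `fs_rw_removable_blk_files(podsleuth_t)` gives podsleuth read and write access to removable block device nodes, and nothing in the hunk says why write is required for a tool that inspects iPods. If only reading the device is needed (partition table, filesystem metadata), a read-only interface would be the narrower grant; if write is genuinely required, a comment above the call stating which operation fails without it, e.g. `# rw on removable block devices: needed for <operation — TODO confirm from the AVC>`, keeps the grant reviewable. The interface body lives in filesystem.if and is not part of this hunk, so the exact permissions it carries are inferred from its name.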
@@ -4380,6 +4387,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` dbus_system_bus_client(podsleuth_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.6.32/policy/modules/apps/ptchown.if +--- nsaserefpolicy/policy/modules/apps/ptchown.if 2009-09-16 10:01:19.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/ptchown.if 2009-11-24 14:55:43.000000000 -0500 +@@ -18,3 +18,28 @@ + domtrans_pattern($1, ptchown_exec_t, ptchown_t) + ') + ++######################################## ++## ++## Execute ptchown in the ptchown domain, and ++## allow the specified role the ptchown domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed the ptchown domain. ++## ++## ++# ++interface(`ptchown_run',` ++ gen_require(` ++ type ptchown_t; ++ ') ++ ++ ptchown_domtrans($1) ++ role $2 types ptchown_t; ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if 2009-10-05 08:28:56.000000000 -0400 @@ -4852,7 +4891,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# No types are sandbox_exec_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2009-11-21 19:21:01.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2009-11-24 14:52:59.000000000 -0500 @@ -0,0 +1,188 @@ + +## policy for sandbox 
@@ -6188,7 +6227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2009-10-19 09:11:30.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2009-11-24 11:28:10.000000000 -0500 @@ -47,8 +47,10 @@ /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) @@ -6217,9 +6256,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -139,8 +142,11 @@ +@@ -138,9 +141,14 @@ + /dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0) /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) ++/dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0) ++/dev/etherd/.+ -c gen_context(system_u:object_r:lvm_control_t,s0) +/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) /dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) @@ -6229,7 +6271,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/pts(/.*)? <> /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -148,6 +154,8 @@ +@@ -148,6 +156,8 @@ /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) 
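Review bot: `/dev/btrfs-control` and `/dev/etherd/.+` are labeled `lvm_control_t` although neither is a device-mapper node, and the same `/dev/etherd/.+` regex appears in the storage.fc hunk further down with `-b` and `fixed_disk_device_t`. The two entries do not conflict, since the `-c`/`-b` object-class flag separates them, but a reader of devices.fc has no way to tell that the char nodes were deliberately folded into lvm_control_t rather than mislabeled. A comment above the pair, e.g. `# btrfs and AoE control nodes share lvm_control_t — TODO confirm intent`, would record that, and if a dedicated type is introduced later both this entry and the storage.fc block entry need to move together.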
@@ -6238,7 +6280,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -168,6 +176,7 @@ +@@ -168,6 +178,7 @@ ifdef(`distro_redhat',` # originally from named.fc @@ -6604,7 +6646,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.32/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/domain.if 2009-11-23 17:51:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/domain.if 2009-11-23 17:52:24.000000000 -0500 @@ -44,34 +44,6 @@ interface(`domain_type',` # start with basic domain @@ -6640,7 +6682,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -791,6 +763,24 @@ +@@ -791,6 +762,24 @@ ######################################## ## @@ -6665,7 +6707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to get the ## session ID of all domains. ## -@@ -1039,6 +1029,54 @@ +@@ -1039,6 +1028,54 @@ ######################################## ## @@ -6720,7 +6762,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to get the attributes ## of all domains unnamed pipes. ## -@@ -1248,18 +1286,34 @@ +@@ -1248,18 +1285,34 @@ ## ## # 
@@ -6758,7 +6800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow specified type to receive labeled ## networking packets from all domains, over ## all protocols (TCP, UDP, etc) -@@ -1280,6 +1334,24 @@ +@@ -1280,6 +1333,24 @@ ######################################## ## @@ -6783,7 +6825,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Unconfined access to domains. ## ## -@@ -1304,3 +1376,20 @@ +@@ -1304,3 +1375,20 @@ typeattribute $1 process_uncond_exempt; ') @@ -6971,7 +7013,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-11-23 11:26:09.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-11-24 10:10:59.000000000 -0500 @@ -110,6 +110,11 @@ ## # @@ -7517,7 +7559,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-11-18 07:49:22.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-11-24 18:07:53.000000000 -0500 @@ -290,7 +290,7 @@ ######################################## 
@@ -8180,8 +8222,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.32/policy/modules/kernel/storage.fc --- nsaserefpolicy/policy/modules/kernel/storage.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/storage.fc 2009-09-30 16:12:48.000000000 -0400 -@@ -28,6 +28,7 @@ ++++ serefpolicy-3.6.32/policy/modules/kernel/storage.fc 2009-11-24 11:27:53.000000000 -0500 +@@ -14,6 +14,7 @@ + /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) ++/dev/etherd/.+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0) + /dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0) +@@ -28,6 +29,7 @@ /dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0) /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) 
@@ -9520,8 +9570,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-11-20 08:01:26.000000000 -0500 -@@ -0,0 +1,427 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-11-24 14:57:35.000000000 -0500 +@@ -0,0 +1,431 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -9856,6 +9906,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ virt_transition_svirt(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` + vpn_run(unconfined_t, unconfined_r) +') + @@ -10102,8 +10156,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2009-11-20 08:11:54.000000000 -0500 -@@ -31,16 +31,37 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2009-11-24 18:09:07.000000000 -0500 +@@ -31,16 +31,38 @@ userdom_restricted_xwindows_user_template(xguest) @@ -10129,6 +10183,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# Dontaudit fusermount +dontaudit xguest_t self:capability sys_admin; ++allow xguest_t self:process execmem; + # Allow mounting of file systems optional_policy(` 
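Review bot: `allow xguest_t self:process execmem;` lifts the writable-and-executable anonymous memory restriction for the restricted xguest role, and it sits directly under `# Dontaudit fusermount`, a comment that describes the preceding sys_admin dontaudit rather than this allow. execmem is the protection that blocks a large class of memory-corruption exploit techniques, so for a guest role the grant should carry its own comment naming the component that needs it, e.g. `# execmem: required by <component — TODO confirm>`, and if other user roles in this policy gate execmem behind a boolean the same tunable would let administrators keep the restriction. A blank line before the new rule would also keep it visually separate from the fusermount dontaudit.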
@@ -10141,42 +10196,78 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_dontaudit_getattr_boot_dirs(xguest_t) files_search_mnt(xguest_t) -@@ -49,6 +70,7 @@ +@@ -49,10 +71,9 @@ fs_manage_noxattr_fs_dirs(xguest_t) fs_getattr_noxattr_fs(xguest_t) fs_read_noxattr_fs_symlinks(xguest_t) + fs_mount_fusefs(xguest_t) auth_list_pam_console_data(xguest_t) +- +- init_read_utmp(xguest_t) + ') + ') -@@ -67,7 +89,11 @@ +@@ -67,17 +88,60 @@ ') optional_policy(` - java_role(xguest_r, xguest_t) + java_role_template(xguest, xguest_r, xguest_t) -+') -+ -+optional_policy(` -+ mono_role_template(xguest, xguest_r, xguest_t) ') optional_policy(` -@@ -75,9 +101,17 @@ - ') - - optional_policy(` -+ nsplugin_role(xguest_r, xguest_t) +- mozilla_role(xguest_r, xguest_t) ++ mono_role_template(xguest, xguest_r, xguest_t) +') + +optional_policy(` ++ nsplugin_role(xguest_r, xguest_t) + ') + + optional_policy(` tunable_policy(`xguest_connect_network',` networkmanager_dbus_chat(xguest_t) + networkmanager_read_var_lib_files(xguest_t) -+ corenet_tcp_connect_pulseaudio_port(xguest_t) -+ corenet_tcp_connect_ipp_port(xguest_t) -+ corenet_tcp_connect_http_port(xguest_t) ++ corenet_tcp_connect_pulseaudio_port(xguest_usertype) ++ corenet_all_recvfrom_unlabeled(xguest_usertype) ++ corenet_all_recvfrom_netlabel(xguest_usertype) ++ corenet_tcp_sendrecv_generic_if(xguest_usertype) ++ corenet_raw_sendrecv_generic_if(xguest_usertype) ++ corenet_tcp_sendrecv_generic_node(xguest_usertype) ++ corenet_raw_sendrecv_generic_node(xguest_usertype) ++ corenet_tcp_sendrecv_http_port(xguest_usertype) ++ corenet_tcp_sendrecv_http_cache_port(xguest_usertype) ++ corenet_tcp_sendrecv_ftp_port(xguest_usertype) ++ corenet_tcp_sendrecv_ipp_port(xguest_usertype) ++ corenet_tcp_connect_http_port(xguest_usertype) ++ corenet_tcp_connect_http_cache_port(xguest_usertype) ++ corenet_tcp_connect_flash_port(xguest_usertype) ++ corenet_tcp_connect_ftp_port(xguest_usertype) ++ 
corenet_tcp_connect_ipp_port(xguest_usertype) ++ corenet_tcp_connect_generic_port(xguest_usertype) ++ corenet_tcp_connect_soundd_port(xguest_usertype) ++ corenet_sendrecv_http_client_packets(xguest_usertype) ++ corenet_sendrecv_http_cache_client_packets(xguest_usertype) ++ corenet_sendrecv_ftp_client_packets(xguest_usertype) ++ corenet_sendrecv_ipp_client_packets(xguest_usertype) ++ corenet_sendrecv_generic_client_packets(xguest_usertype) ++ # Should not need other ports ++ corenet_dontaudit_tcp_sendrecv_generic_port(xguest_usertype) ++ corenet_dontaudit_tcp_bind_generic_port(xguest_usertype) ++ corenet_tcp_connect_speech_port(xguest_usertype) ++ corenet_tcp_sendrecv_transproxy_port(xguest_usertype) ++ corenet_tcp_connect_transproxy_port(xguest_usertype) ++ ') ') ++ ++optional_policy(` ++ gen_require(` ++ type mozilla_t; ++ ') ++ ++ allow xguest_t mozilla_t:process transition; ++ role xguest_r types mozilla_t; ') -#gen_user(xguest_u,, xguest_r, s0, s0) @@ -10329,7 +10420,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-11-23 16:38:25.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-11-24 10:11:37.000000000 -0500 @@ -33,12 +33,23 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -10376,7 +10467,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir }) kernel_read_ring_buffer(abrt_t) -@@ -75,10 +89,17 @@ +@@ -75,18 +89,29 @@ corecmd_exec_bin(abrt_t) corecmd_exec_shell(abrt_t) 
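Review bot: `corenet_tcp_connect_generic_port(xguest_usertype)` allows connecting to every port carrying the generic port type, which contradicts the `# Should not need other ports` comment a few lines below it and makes the explicit http, ftp, ipp, flash and soundd connect lines largely redundant. If the intent is to keep the guest confined to the listed services, drop the generic connect and keep the dontaudit; if generic connections are really required, move the comment so it no longer claims otherwise. Note also that these rules moved from `xguest_t` to the `xguest_usertype` attribute, so every domain carrying that attribute gains the network and raw-socket access (`corenet_raw_sendrecv_generic_if`/`_node`), not only xguest_t itself; a short comment stating that this widening is intended would help the next reader.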
@@ -10394,7 +10485,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_getattr_all_files(abrt_t) files_read_etc_files(abrt_t) -@@ -87,6 +108,7 @@ + files_read_usr_files(abrt_t) + ++files_dontaudit_list_default(abrt_t) ++files_dontaudit_read_default_files(abrt_t) ++ fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) fs_getattr_all_dirs(abrt_t) @@ -10402,7 +10497,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysnet_read_config(abrt_t) -@@ -96,22 +118,64 @@ +@@ -96,22 +121,64 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -10418,15 +10513,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + nis_use_ypbind(abrt_t) +') -+ -+optional_policy(` -+ nsplugin_read_rw_files(abrt_t) -+ nsplugin_read_home(abrt_t) -+') optional_policy(` - dbus_connect_system_bus(abrt_t) - dbus_system_bus_client(abrt_t) ++ nsplugin_read_rw_files(abrt_t) ++ nsplugin_read_home(abrt_t) ++') ++ ++optional_policy(` + policykit_dbus_chat(abrt_t) + policykit_domtrans_auth(abrt_t) + policykit_read_lib(abrt_t) @@ -12321,7 +12416,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_domtrans(apmd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.6.32/policy/modules/services/arpwatch.te --- nsaserefpolicy/policy/modules/services/arpwatch.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/arpwatch.te 2009-11-19 09:58:31.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/arpwatch.te 2009-11-23 18:38:59.000000000 -0500 @@ -34,6 +34,7 @@ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms }; allow arpwatch_t self:udp_socket create_socket_perms; 
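Review bot: `files_dontaudit_read_default_files(abrt_t)` hides read denials on default_t, the label a file gets when no file-context entry matches, so a mislabeled crash-data location would now fail silently inside abrt instead of leaving an AVC to diagnose. If the denials come from abrt walking the filesystem while collecting reports, a comment above the two new calls, e.g. `# abrt scans the tree for crash data; default_t hits are expected noise — TODO confirm source`, tells the next reader which denials are intended; if they come from one specific path, a file-context entry for it is the better fix than a dontaudit.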
@@ -12330,6 +12425,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) +@@ -46,6 +47,7 @@ + manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t) + files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file) + ++kernel_read_network_state(arpwatch_t) + kernel_read_kernel_sysctls(arpwatch_t) + kernel_list_proc(arpwatch_t) + kernel_read_proc_symlinks(arpwatch_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.6.32/policy/modules/services/asterisk.if --- nsaserefpolicy/policy/modules/services/asterisk.if 2009-09-16 10:01:19.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/asterisk.if 2009-11-09 12:03:06.000000000 -0500 @@ -16090,17 +16193,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg($1_milter_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.6.32/policy/modules/services/modemmanager.te --- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/modemmanager.te 2009-10-22 10:43:01.000000000 -0400 -@@ -16,7 +16,7 @@ ++++ serefpolicy-3.6.32/policy/modules/services/modemmanager.te 2009-11-24 07:19:34.000000000 -0500 +@@ -16,7 +16,8 @@ # # ModemManager local policy # - ++allow modemmanager_t self:capability sys_admin; +allow modemmanager_t self:process signal; allow modemmanager_t self:fifo_file rw_file_perms; allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -24,6 +24,7 @@ +@@ -24,6 +25,7 @@ kernel_read_system_state(modemmanager_t) dev_read_sysfs(modemmanager_t) 
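Review bot: `allow modemmanager_t self:capability sys_admin;` grants CAP_SYS_ADMIN, the broadest capability the kernel has, with no comment on which operation ModemManager needs it for. sys_admin is frequently requested for an ioctl the daemon works fine without, in which case a `dontaudit` is the usual refpolicy answer; if it is genuinely required, the allow should carry a comment such as `# sys_admin: needed for <ioctl/syscall — TODO confirm from the AVC>` so it is not silently kept forever. The local-policy section this rule opens continues past the hunk.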
@@ -17568,7 +17672,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.6.32/policy/modules/services/nut.te --- nsaserefpolicy/policy/modules/services/nut.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/nut.te 2009-11-13 15:34:47.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/nut.te 2009-11-24 15:02:36.000000000 -0500 @@ -0,0 +1,138 @@ + +policy_module(nut,1.0.0) @@ -17608,7 +17712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# upsd local policy +# + -+allow upsd_t self:capability { setuid setgid }; ++allow upsd_t self:capability { dac_override setuid setgid }; + +allow upsd_t self:unix_dgram_socket { create_socket_perms sendto }; +allow upsd_t self:tcp_socket create_stream_socket_perms; @@ -23985,7 +24089,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.32/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/virt.if 2009-10-28 12:01:39.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/virt.if 2009-11-24 14:56:29.000000000 -0500 @@ -136,7 +136,7 @@ ') 
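Review bot: Adding `dac_override` to upsd_t's capabilities lets the daemon bypass discretionary permission checks on every file it can otherwise reach under this policy, which usually points at a file with the wrong owner or mode rather than a real policy need. Before keeping it, check the AVC that prompted the change; if it is a single config, socket or pid file, fixing its ownership in the package is the narrower solution, and if the grant stays it deserves a comment, e.g. `# dac_override: upsd opens <file — TODO confirm> owned by root while running as nut`. upsd's local policy continues beyond the hunk.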
@@ -24026,19 +24130,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs($1) -@@ -304,8 +306,79 @@ +@@ -304,7 +306,7 @@ ') tunable_policy(`virt_use_samba',` - fs_manage_nfs_files($1) - fs_manage_cifs_files($1) + fs_manage_cifs_files($1) -+ fs_read_cifs_symlinks($1) -+ ') -+') -+ -+######################################## -+## + fs_manage_cifs_files($1) + fs_read_cifs_symlinks($1) + ') +@@ -312,6 +314,77 @@ + + ######################################## + ## +## Allow domain to read virt image files +## +## @@ -24104,10 +24208,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + tunable_policy(`virt_use_samba',` + fs_list_cifs($1) + fs_read_cifs_files($1) - fs_read_cifs_symlinks($1) - ') - ') -@@ -346,3 +419,95 @@ ++ fs_read_cifs_symlinks($1) ++ ') ++') ++ ++######################################## ++## + ## All of the rules required to administrate + ## an virt environment + ## +@@ -346,3 +419,124 @@ virt_manage_log($1) ') @@ -24184,6 +24294,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Execute qemu in the svirt domain, and ++## allow the specified role the svirt domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the sandbox domain. ++## ++## ++# ++interface(`virt_transition_svirt',` ++ gen_require(` ++ type svirt_t; ++ ') ++ ++ allow $1 svirt_t:process transition; ++ role $2 types svirt_t; ++ ++ optional_policy(` ++ ptchown_run(svirt_t, $2) ++ ') ++') ++ ++######################################## ++## +## Create, read, write, and delete +## svirt cache files. +##
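Review bot: In the `virt_use_samba` block the inner hunk now replaces `fs_manage_nfs_files($1)` with `fs_manage_cifs_files($1)` while the very next context line is already `fs_manage_cifs_files($1)`, so the resulting virt.if carries the same rule twice. Duplicate allow rules compile, but the misplaced NFS call should simply be removed: keep `- fs_manage_nfs_files($1)` and drop the `+ fs_manage_cifs_files($1)` addition, which turns that inner header into `@@ -304,7 +306,6 @@` and shifts the later inner offsets by one. The tunable block continues into the next hunk on this line.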
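Review bot: The second parameter of the new `virt_transition_svirt` interface is documented as `The role to be allowed the sandbox domain.`, which looks copied from the sandbox interfaces; it should read `The role to be allowed the svirt domain.`. The interface grants a bare `allow $1 svirt_t:process transition;` with no domtrans_pattern, so the caller has to set the target context itself; the summary `Execute qemu in the svirt domain` overstates that, and `## Allow the domain to manually transition to svirt_t (no automatic transition on exec).` would describe the rule accurately. The `ptchown_run(svirt_t, $2)` call is correctly wrapped in optional_policy, since ptchown is a separate module.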